Java Keystore... why is it needed for valid certs?
At work, we have a number of 3rd party vendors that we post to with CFHTTP calls. Unless we add their certificate to the java keystore, the CFHTTP connections fail. It wasn't a big deal at first, but the more vendors we support, the more certificates I add... and the more often a certificate is expiring. It is to the point where I'm updating one certificate or another every month or two.

My question is why do I have to add these certificates to the keystore at all? They validate fine in a browser (in fact, that is where I always get the x.50- certificate from... by exporting it through the browser). This is only an issue for vendors that we have to CFHTTP post to; I do not need to import certificates to support vendors with web services.

Is there a better method that wouldn't require updating the keystore every time a certificate is renewed?

.:.:.:.:.:.:.:.:.:.:.:.
Bobby Hartsfield
http://acoderslife.com
http://cf4em.com

~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:349869
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: Java Keystore... why is it needed for valid certs?
> My question is why do I have to add these certificates to the keystore at all? They validate fine in a browser (in fact, that is where I always get the x.50- certificate from... by exporting it through the browser).

The reason they validate fine in a browser is because browsers come with a pretty large set of root certificates. The JVM does not. My guess is you could import all of the root certificates from your browser into your JVM if you really wanted to, and not have to worry about anything for quite a while.

Now, the fact that browsers come with so many trusted certificates is actually kind of a problem - when someone misuses a CA cert, it can be hard to ensure that the cert they fraudulently create isn't trusted by browsers by default. There isn't really a good universal revocation process.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:349870
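A diagnostic that follows Dave's point, added here and not taken from the thread: it loads the JVM's truststore, captures the chain a vendor host presents during the handshake, and reports which entries the JVM already trusts, so you can import the issuing CA (valid for years) instead of the vendor's leaf certificate that expires every year or two. The class name ChainCheck, the default cacerts path and password, and the command-line arguments are assumptions.

```java
import javax.net.ssl.*;
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;

public class ChainCheck {
    public static void main(String[] args) throws Exception {
        String host = args[0];
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 443;
        // Truststore the JVM consults (assumed default path; ColdFusion's bundled JVM has its own cacerts).
        String tsPath = args.length > 2 ? args[2]
            : System.getProperty("java.home") + "/lib/security/cacerts";
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(tsPath)) {
            ts.load(in, "changeit".toCharArray()); // default cacerts password
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        final X509TrustManager real = (X509TrustManager) tmf.getTrustManagers()[0];
        final X509Certificate[][] seen = new X509Certificate[1][];
        // Record the chain the server presents, then defer to the real trust
        // manager so the handshake fails exactly as it does for CFHTTP.
        X509TrustManager recording = new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] c, String a)
                throws CertificateException { real.checkClientTrusted(c, a); }
            public void checkServerTrusted(X509Certificate[] c, String a)
                throws CertificateException { seen[0] = c; real.checkServerTrusted(c, a); }
            public X509Certificate[] getAcceptedIssuers() { return real.getAcceptedIssuers(); }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { recording }, null);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            s.startHandshake();
            System.out.println("handshake OK: the JVM already trusts this chain");
        } catch (SSLHandshakeException e) {
            System.out.println("handshake FAILED: " + e.getMessage());
        }
        if (seen[0] == null) { System.out.println("no chain presented"); return; }
        // The leaf comes first; the last entry is the highest CA the server sent. Import that CA
        // (or its self-signed root), not the leaf, so the leaf can be renewed without touching cacerts.
        for (X509Certificate c : seen[0]) {
            boolean root = c.getSubjectX500Principal().equals(c.getIssuerX500Principal());
            String alias = ts.getCertificateAlias(c);
            System.out.printf("%s subject=%s expires=%s inTruststore=%s%n",
                root ? "[self-signed]" : "[cert]", c.getSubjectX500Principal(),
                c.getNotAfter(), alias != null ? "yes (" + alias + ")" : "no");
        }
    }
}
```

Run it with the same JVM and cacerts that ColdFusion uses; a CA entry reported as "inTruststore=no" is the one to import with keytool.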
RE: Java Keystore... why is it needed for valid certs?
That is more or less what I suspected but wasn't sure. Thanks for the clarification, Dave.

.:.:.:.:.:.:.:.:.:.:.:.
Bobby Hartsfield
http://acoderslife.com
http://cf4em.com

-Original Message-
From: Dave Watts [mailto:dwa...@figleaf.com]
Sent: Monday, February 13, 2012 12:54 PM
To: cf-talk
Subject: Re: Java Keystore... why is it needed for valid certs?

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:349872